#!/bin/bash


# 1 Initial Setup 初始设置

# 1.1 Filesystem Configuration 文件系统配置

# 1.1.1 Disable unused filesystems 禁用未使用的文件系统

# 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
disable_cramfs() {
test_module_disabled "cramfs"
}

# 1.1.1.2 Ensure mounting of squashfs filesystems is disabled
disable_squashfs() {
test_module_disabled "squashfs"
}

# 1.1.1.3 Ensure mounting of udf filesystems is disabled
disable_udf() {
test_module_disabled "udf"
}

# 1.1.2 Ensure /tmp is mountd
mount_tmp() {
test_mount "/tmp"
}

# 1.1.3 Ensure noexec option set on /tmp partition
noexec_tmp() {
test_mount_option "/tmp" "noexec"
}

# 1.1.4 Ensure nodev option set on /tmp partition
nodev_tmp() {
test_mount_option "/tmp" "nodev"
}

# 1.1.5 Ensure nosuid option set on /tmp partition
nosuid_tmp() {
test_mount_option "/tmp" "nosuid"
}

# 1.1.6 Ensure /dev/shm is mountd
mount_shm() {
test_mount "/dev/shm"
}

# 1.1.7 Ensure noexec option set on /dev/shm partition
noexec_shm() {
test_mount_option "/dev/shm" "noexec"
}

# 1.1.8 Ensure nodev option set on /dev/shm partition
nodev_shm() {
test_mount_option "/dev/shm" "nodev"
}

# 1.1.9 Ensure nosuid option set on /dev/shm partition
nosuid_shm() {
test_mount_option "/dev/shm" "nosuid"
}

# 1.1.10 Ensure mount partition exists for /var
mount_var() {
test_mount "/var"
}

# 1.1.11 Ensure mount partition exists for /var/tmp
mount_var_tmp() {
test_mount "/var/tmp"
}

# 1.1.12 Ensure /var/tmp partition includes the noexec option
noexec_var_tmp() {
test_mount_option "/var/tmp" "noexec"
}

# 1.1.13 Ensure /var/tmp partition includes the nodev option
nodev_var_tmp() {
test_mount_option "/var/tmp" "nodev"
}

# 1.1.14 Ensure /var/tmp partition includes the nosuid option
nosuid_var_tmp() {
test_mount_option "/var/tmp" "nosuid"

}

# 1.1.15 Ensure mount partition exists for /var/log
mount_var_log() {
test_mount "/var/log"
}

# 1.1.16 Ensure mount partition exists for /var/log/audit
mount_var_log_audit() {
test_mount "/var/log/audit"
}

# 1.1.17 Ensure mount partition exists for /home
mount_home() {
test_mount "/home"
}

# 1.1.18 Ensure /home partition includes the nodev option
nodev_home() {
test_mount_option "/home" "nodev"
}

# 1.1.19 Ensure removable media partitions include noexec option
noexec_media() {
test_mount_option "/media" "noexec"
}

# 1.1.20 Ensure nodev option set on removable media partitions
nodev_media() {
test_mount_option "/media" "nodev"
}

# 1.1.21 Ensure nosuid option set on removable media partitions
nosuid_media() {
test_mount_option "/media" "nosuid"
}

#1.1.22 Ensure sticky bit is set on all world-writable directories
sticky(){
test_sticky
}
#1.1.23 Disable Automounting
autofs_disable(){
test_service_disable "autofs"
}

#1.1.24 Disable USB Storage
disable_usb-storage() {
test_module_disabled " usb-storage"
}
#1.2 Configure Software Updates
#1.2.1 Ensure GPG keys are configured
gpg_keys() {
test_rpm_installed "gpg-pubkey"
}

#1.2.2 Ensure package manager repositories are configured
repolist_no_null() {
test_repolist
}
#1.2.3 Ensure gpgtest is globally activated
gpgcheck_true() {
test_gpgcheck
}
#1.3 Filesystem Integrity Checking
#1.3.1 Ensure AIDE is installed
aide_installed() {
test_rpm_installed "aide"
}
#1.3.2 Ensure filesystem integrity is regularly tested
aide_crontab() {
test_crontab "aide" "0 5 * * * /usr/sbin/aide --check"
}
#1.4 Secure Boot Settings
#1.4.1 Ensure bootloader password is set
grub2_password() {
test_grub2_password 
}

#1.4.2 Ensure permissions on bootloader config are configured
grub2_permissions() {
test_grub2_permissions 
}
#1.4.3 Ensure authentication required for single user mode
grub2_auth() {
test_grub2_auth 
}
#1.5 Additional Process Hardening
#1.5.1 Ensure core dumps are restricted
hard_core() {
test_restrict_core_dumps
}
#1.5.2 Ensure XD/NX support is enabled
xd_nx() {
test_xd_nx_support_enabled
}

#1.5.3 Ensure address space layout randomization (ASLR) is enabled
aslr() {
test_sysctl kernel.randomize_va_space
}
#1.5.4 Ensure prelink is not installed
prelink_uninstalld() {
test_rpm_uninstalled "prelink"
}

#1.6 Mandatory Access Control
#1.6.1 Configure SELinux
#1.6.1.1 Ensure SELinux is installed
selinux_installed() {
test_rpm_installed "selinux"
}

#1.6.1.2 Ensure SELinux is not disabled in bootloader configuration
selinux_grub2cfg() {
test_selinux_grubcfg
}

#1.6.1.3 Ensure SELinux policy is configured
selinux_policy() {
selinux_installed || return 2    
test_selinux_policy
}
#1.6.1.4 Ensure the SELinux mode is enforcing or permissive

selinux_state_permissive() {
selinux_installed || return 2     
test_selinux_state_permissive
}

#1.6.1.5 Ensure the SELinux mode is enforcing
selinux_state_enforcing() {
selinux_installed || return 2 
test_selinux_state_enforcing
}

#1.6.1.6 Ensure no unconfined services exist
unconfined_procs() {
test_unconfined_procs 
}
#1.6.1.7 Ensure SETroubleshoot is not installed
setroubleshoot_uninstalled() {
test_rpm_uninstalled "setroubleshoot"
}

#1.6.1.8 Ensure the MCS Translation Service (mcstrans) is not installed
MCS_uninstalled() {
test_rpm_uninstalled "mcstrans"
}
#1.7 Command Line Warning Banners
#1.7.1 Ensure message of the day is configured properly
motd_banner() {
test_banner ${MOTD}
}

#1.7.2 Ensure local login warning banner is configured properly
issue_banner() {
test_banner ${ISSUE}
}

#1.7.3 Ensure remo login warning banner is configured properly
issue_net_banner() {
test_banner ${ISSUE_NET}
}

#1.7.4 Ensure permissions on /etc/motd are configured
motd_permissions() {
test_permissions_0644_root_root ${MOTD}
}

#1.7.5 Ensure permissions on /etc/issue are configured
issue_permissions() {
test_permissions_0644_root_root ${ISSUE}
}

#1.7.6 Ensure permissions on /etc/issue.net are configured
issue_net_permissions() {
test_permissions_0644_root_root ${ISSUE_NET}
}

#1.8 GNOME Display Manager
#1.8.1 Ensure GNOME Display Manager is removed
gdm_uninstalled() {
test_rpm_uninstalled "gdm"
}

#1.8.2 Ensure GDM login banner is configured
gdm_configured() {
test_gdm_configured
}
#1.8.3 Ensure last logged in user display is disabled
gdm_disabled() {
test_gdm_disabled
}

#1.8.4 Ensure XDCMP is not enabled
XDMCP_disabled(){
test_XDMCP_disabled
}

#1.9 Ensure updates, patches, and additional security software are installed
yum_check_update() {
test_yum_check_update
}

#2.1 inetd Services
#2.1.1 Ensure xinetd is not installed   
xinetd_uninstalled(){
test_rpm_uninstalled "xinetd" 
}

#2.2 Special Purpose Services                                                                                                            
#2.2.1 Time Synchronization                                                                                                        
#2.2.1.1 Ensure time synchronization is in use   
time_sync_services(){
test_time_sync_services_enabled
}

#2.2.1.2 Ensure chrony is configured   
chrony_cfg(){
test_rpm_installed "chrony" || return 2       
test_chrony_cfg
}

#2.2.1.3 Ensure ntp is configured   
ntp_cfg(){
test_rpm_installed "ntp" || return 2    
test_ntp_cfg
}

#2.2.2 Ensure X11 Server components are not installed   
x11_uninstalled(){
test_rpm_uninstalled "xorg-x11-server*"
}

#2.2.3 Ensure Avahi Server is not installed   
avahi_uninstalled(){
test_rpm_uninstalled "avahi*"
}

#2.2.4 Ensure CUPS is not installed   

cpus_uninstalled(){
test_rpm_uninstalled "cpus"
}
#2.2.5 Ensure DHCP Server is not installed   
dhcp_uninstalled(){
test_rpm_uninstalled "dhcp"
}

#2.2.6 Ensure LDAP server is not installed   
ldap_uninstalled(){
test_rpm_uninstalled "openldap-servers"
}

#2.2.7 Ensure DNS Server is not installed   
dns_uninstalled(){
test_rpm_uninstalled "bind"
}

#2.2.8 Ensure FTP Server is not installed   
ftp_uninstalled(){
test_rpm_uninstalled "vsftpd"
}

#2.2.9 Ensure HTTP server is not installed   
http_uninstalled(){
test_rpm_uninstalled "httpd"
}

#2.2.10 Ensure IMAP and POP3 server is not installed   
imap_uninstalled(){
test_rpm_uninstalled "dovecot"
}

#2.2.11 Ensure Samba is not installed   
samba_uninstalled(){
test_rpm_uninstalled "samba"
}
#2.2.12 Ensure HTTP Proxy Server is not installed   
squid_uninstalled(){
test_rpm_uninstalled "squid"
}

#2.2.13 Ensure net-snmp is not installed   
snmp_uninstalled(){
test_rpm_uninstalled "net-snmp"
}

#2.2.14 Ensure NIS server is not installed   
nis_uninstalled(){
test_rpm_uninstalled "ypserv"
}
#2.2.15 Ensure telnet-server is not installed   
telnet_uninstalled(){
test_rpm_uninstalled "telnet-server"
}

#2.2.16 Ensure mail transfer agent is configured for local-only mode   
mta_local_only(){
test_mta_local_only
}

#2.2.17 Ensure nfs-utils is not installed or the nfs-server service is masked 
nfs_services_disabled(){
test_nfs_services_disabled
}

#2.2.18 Ensure rpcbind is not installed or the rpcbind services are masked 
rpcbind_services_disabled(){
test_rpcbind_services_disabled
}
#2.2.19 Ensure rsync is not installed or the rsyncd service is masked   
rsync_uninstalled(){
test_rpm_uninstalled "rsync"
}

#2.3 Service Clients
#2.3.1 Ensure NIS Client is not installed   
nis_cli_uninstalled(){
test_rpm_uninstalled "ypbind"
}
#2.3.2 Ensure rsh client is not installed   
rsh_cli_uninstalled(){
test_rpm_uninstalled "rsh"
}
#2.3.3 Ensure talk client is not installed   
talk_cli_uninstalled(){
test_rpm_uninstalled "talk"
}
#2.3.4 Ensure telnet client is not installed   
telnet_cli_uninstalled(){
test_rpm_uninstalled "telnet"
}
#2.3.5 Ensure LDAP client is not installed   
ldap_cli_uninstalled(){
test_rpm_uninstalled "openldap-clients"
}
#2.4 Ensure nonessential services are removed or masked


#3 Network Configuration
#3.1 Disable unused network protocols and devices 
#3.1.1 Disable IPv6   
ipv6_disabled(){
test_ipv6_disabled
}
#3.1.2 Ensure wireless interfaces are disabled   
wireless_disabled(){
test_wireless_if_disabled
}

#3.2 Network Parameters (Host Only)  
#3.2.1 Ensure IP forwarding is disabled   
forward_disabled(){
test_sysctl net.ipv4.ip_forward 0
}

#3.2.2 Ensure packet redirect sending is disabled   
redirect_disabled(){
test_net_ipv4_conf_all_default send_redirects 0
}

#3.3 Network Parameters (Host and Router) 
#3.3.1 Ensure source routed packets are not accepted   
routed_accepted(){
test_net_ipv4_conf_all_default accept_source_route 0
}
#3.3.2 Ensure ICMP redirects are not accepted   
icmp_redirects(){
test_net_ipv4_conf_all_default accept_source_route 0
}
#3.3.3 Ensure secure ICMP redirects are not accepted   
icmp_secure_redirects(){
test_net_ipv4_conf_all_default secure_redirects 0
}

#3.3.4 Ensure suspicious packets are logged   
logged_suspicious(){
test_net_ipv4_conf_all_default log_martians 1
}
#3.3.5 Ensure broadcast ICMP requests are ignored   
icmp_broadcast(){
test_sysctl net.ipv4.icmp_echo_ignore_broadcasts 1
}
#3.3.6 Ensure bogus ICMP responses are ignored   
icmp_bogus(){
test_sysctl net.ipv4.icmp_ignore_bogus_error_responses 1
}
#3.3.7 Ensure Reverse Path Filtering is enabled   
reverse_path(){
test_net_ipv4_conf_all_default rp_filter 1
}
#3.3.8 Ensure TCP SYN Cookies is enabled   
syncookies_enabled(){
test_sysctl net.ipv4.tcp_syncookies 1
}
#3.3.9 Ensure IPv6 router advertisements are not accepted   
ipv6_router(){
test_net_ipv6_conf_all_default accept_ra 0
}
#3.4 Uncommon Network Protocols 
#3.4.1 Ensure DCCP is disabled   
dccp_disabled(){
test_module_disabled dccp
}
#3.4.2 Ensure SCTP is disabled   
sctp_disabled(){
test_module_disabled sctp
}
#3.5 Firewall Configuration 
firewall_all_uninstalled(){
test_rpm_installed firewalld || test_rpm_installed iptables_services || test_rpm_installed nftables || return 1
return 0
}
#3.5.1 Configure firewalld 
#3.5.1.1 Ensure firewalld is installed   
firewalld_installed(){
test_rpm_installed firewalld  && test_rpm_uninstalled iptables-services &&  test_rpm_uninstalled nftables
}
#3.5.1.2 Ensure iptables-services not installed with firewalld   
#3.5.1.3 Ensure nftables either not installed or masked with firewalld   
#3.5.1.4 Ensure firewalld service enabled and running   
firewalld_run(){
test_rpm_installed firewalld || return 2
test_service_enabled_run "firewalld"
}
#3.5.1.5 Ensure firewalld default zone is set   
firewalld_zone_set(){
test_rpm_installed firewalld || return 2    
test_firewalld_zone_set
}
#3.5.1.6 Ensure network interfaces are assigned to appropriate zone   
firewalld_interfaces_zone(){
test_rpm_installed firewalld || return 2    
test_firewalld_interfaces_zone
}
#3.5.1.7 Ensure firewalld drops unnecessary services and ports  (Manual) 
#3.5.2 Configure nftables 
#3.5.2.1 Ensure nftables is installed   
nftables_installed(){
test_rpm_installed nftables  && test_rpm_uninstalled iptables-services &&  test_rpm_uninstalled firewalld    
}
#3.5.2.2 Ensure firewalld is either not installed or masked with nftables 
#3.5.2.3 Ensure iptables-services not installed with nftables   
#3.5.2.4 Ensure iptables are flushed with nftables   
iptables_empty(){
test_rpm_installed iptables-services || return 2     
test_iptables_empty
}
#3.5.2.5 Ensure an nftables table exists   
nftables_table(){
test_rpm_installed nftables || return 2     
test_nftables_table
}
#3.5.2.6 Ensure nftables base chains exist   
nftables_base_chains(){
test_rpm_installed nftables || return 2     
test_nftables_base_chains
}
#3.5.2.7 Ensure nftables loopback traffic is configured   
nftables_loopback(){
test_rpm_installed nftables || return 2     
test_nftables_loopback
}
#3.5.2.8 Ensure nftables outbound and established connections are configured 
nftables_outbound_established_connections(){
test_rpm_installed nftables || return 2     
test_nftables_outbound_established_connections
}
#3.5.2.9 Ensure nftables default deny firewall policy   
nftables_default_deny_policy(){
test_rpm_installed nftables || return 2     
test_nftables_default_deny_policy
}
#3.5.2.10 Ensure nftables service is enabled   
nftables_enabled(){
test_rpm_installed nftables || return 2     
test_service_enabled "nftables"
}
#3.5.2.11 Ensure nftables rules are permanent   
nftables_persistent_rules(){
test_rpm_installed nftables || return 2     
test_nftables_persistent_rules
}
#3.5.3 Configure iptables 
#3.5.3.1.1 Ensure iptables packages are installed   
iptables_installed(){
test_rpm_installed iptables && test_rpm_installed "iptables-services"  && test_rpm_uninstalled firewalld &&  test_rpm_uninstalled nftables 
}
#3.5.3.1.2 Ensure nftables is not installed with iptables   
#3.5.3.1.3 Ensure firewalld is either not installed or masked with iptables 
#3.5.3.2.1 Ensure iptables loopback traffic is configured   
iptables_loopback(){
test_rpm_installed iptables && test_rpm_installed "iptables-services" || return 2    
test_iptables_loopback
}
#3.5.3.2.2 Ensure iptables outbound and established connections are configured 
iptables_outbound_and_established(){
test_rpm_installed iptables && test_rpm_installed "iptables-services" || return 2    
test_iptables_outbound_and_established
}
#3.5.3.2.3 Ensure iptables rules exist for all open ports   
iptables_rules_for_open_ports(){
test_rpm_installed iptables && test_rpm_installed "iptables-services" || return 2    
test_iptables_rules_for_open_ports "iptables"
}
#3.5.3.2.4 Ensure iptables default deny firewall policy   
iptables_default_deny_policy(){
test_rpm_installed iptables && test_rpm_installed "iptables-services" || return 2    
test_iptables_default_deny_policy "iptables"
}
#3.5.3.2.5 Ensure iptables rules are saved   
iptables_rules_saved(){
test_rpm_installed iptables && test_rpm_installed "iptables-services" || return 2    
test_iptables_rules_saved "iptables"
}
#3.5.3.2.6 Ensure iptables is eblesnabled and running   
iptables_run(){
test_rpm_installed iptables && test_rpm_installed "iptables-services" || return 2    
test_service_enabled_run "iptables"
}
#3.5.3.3.1 Ensure ip6tables loopback traffic is configured   
ip6tables_loopback(){
test_rpm_installed iptables && test_rpm_installed "iptables-services" || return 2    
test_ip6tables_loopback
}
#3.5.3.3.2 Ensure ip6tables outbound and established connections are configured 
ip6tables_outbound_and_established(){
test_rpm_installed iptables && test_rpm_installed "iptables-services" || return 2    
test_ip6tables_outbound_established
}
#3.5.3.3.3 Ensure ip6tables firewall rules exist for all open ports   
ip6tables_rules_for_open_ports(){
test_rpm_installed iptables && test_rpm_installed "iptables-services" || return 2    
test_iptables_rules_for_open_ports "ip6tables"
}
#3.5.3.3.4 Ensure ip6tables default deny firewall policy   
ip6tables_default_deny_policy(){
test_rpm_installed iptables && test_rpm_installed "iptables-services" || return 2    
test_iptables_default_deny_policy "ip6tables"
}
#3.5.3.3.5 Ensure ip6tables rules are saved   
ip6tables_rules_saved(){
test_rpm_installed iptables && test_rpm_installed "iptables-services" || return 2    
test_iptables_rules_saved "ip6tables"
}
#3.5.3.3.6 Ensure ip6tables is enabled and running 
ip6tables_run(){
test_rpm_installed iptables && test_rpm_installed "iptables-services" || return 2    
test_service_enabled_run "ip6tables"
}

#4 Logging and Auditing                                                                                                                            
#4.1.1 Ensure auditing is enabled
#4.1.1.1 Ensure auditd is installed
audit_installed(){
test_rpm_installed "audit" && test_rpm_installed  "audit-libs" || return 2
}
#4.1.1.2 Ensure auditd service is enabled and running
audit_run(){
test_rpm_installed "audit" && test_rpm_installed  "audit-libs" || return 2    
test_service_enabled_run "auditd"
}
#4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled
audit_prior(){
test_rpm_installed "audit" && test_rpm_installed  "audit-libs" || return 2    
test_audit_procs_prior_2_auditd
}
#4.1.2 Configure Data Retention
#4.1.2.1 Ensure audit log storage size is configured
audit_size(){
test_rpm_installed "audit" && test_rpm_installed  "audit-libs" || return 2    
test_audit_log_storage_size
}
#4.1.2.2 Ensure audit logs are not automatically deleted
audit_not_deleted(){
test_rpm_installed "audit" && test_rpm_installed  "audit-libs" || return 2    
test_keep_all_audit_info
}
#4.1.2.3 Ensure system is disabled when audit logs are full
audit_full(){
test_rpm_installed "audit" && test_rpm_installed  "audit-libs" || return 2    
test_dis_on_audit_log_full
}
#4.1.2.4 Ensure audit_backlog_limit is sufficient
audit_backlog_limit(){
test_rpm_installed "audit" && test_rpm_installed  "audit-libs" || return 2    
test_audit_backlog_limit
}
#4.1.3 Ensure events that modify date and time information are collected
audit_date_time(){
test_rpm_installed "audit" && test_rpm_installed  "audit-libs" || return 2    
test_audit_date_time
}
#4.1.4 Ensure events that modify user/group information are collected
audit_user_group(){
test_rpm_installed "audit" && test_rpm_installed  "audit-libs" || return 2    
test_audit_user_group
}
#4.1.5 Ensure events that modify the system's network environment are collected
audit_network_env(){
test_rpm_installed "audit" && test_rpm_installed  "audit-libs" || return 2    
test_audit_network_env
}
#4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected  
audit_sys_mac(){
test_rpm_installed "audit" && test_rpm_installed  "audit-libs" || return 2    
test_audit_sys_mac
}
#4.1.7 Ensure login and logout events are collected   
audit_logins_logouts(){
test_rpm_installed "audit" && test_rpm_installed  "audit-libs" || return 2    
test_audit_logins_logouts
}
#4.1.8 Ensure session initiation information is collected   
audit_session_init(){
test_rpm_installed "audit" && test_rpm_installed  "audit-libs" || return 2    
test_audit_session_init
}
#4.1.9 Ensure discretionary access control permission modification events are collected   
audit_dac_perm_mod_events(){
test_rpm_installed "audit" && test_rpm_installed  "audit-libs" || return 2    
test_audit_dac_perm_mod_events
}
#4.1.10 Ensure unsuccessful unauthorized file access attempts are collected 
unsuc_unauth_acc_attempts(){
test_rpm_installed "audit" && test_rpm_installed  "audit-libs" || return 2    
test_unsuc_unauth_acc_attempts
}
#4.1.11 Ensure use of privileged commands is collected   
coll_priv_cmds(){
test_rpm_installed "audit" && test_rpm_installed  "audit-libs" || return 2    
test_coll_priv_cmds
}
#4.1.12 Ensure successful file system mounts are collected   
coll_suc_fs_mnts(){
test_rpm_installed "audit" && test_rpm_installed  "audit-libs" || return 2    
test_coll_suc_fs_mnts
}
#4.1.13 Ensure file deletion events by users are collected   
coll_file_del_events(){
test_rpm_installed "audit" && test_rpm_installed  "audit-libs" || return 2    
test_coll_file_del_events
}
#4.1.14 Ensure changes to system administration scope (sudoers) is collected 
coll_chg2_sysadm_scope(){
test_rpm_installed "audit" && test_rpm_installed  "audit-libs" || return 2    
test_coll_chg2_sysadm_scope
}
#4.1.15 Ensure system administrator command executions (sudo) are collected 
coll_sysadm_actions(){
test_rpm_installed "audit" && test_rpm_installed  "audit-libs" || return 2    
test_coll_sysadm_actions
}
#4.1.16 Ensure kernel module loading and unloading is collected   
kmod_lod_unlod(){
test_rpm_installed "audit" && test_rpm_installed  "audit-libs" || return 2    
test_kmod_lod_unlod
}
#4.1.17 Ensure the audit configuration is immutable   
audit_cfg_immut(){
test_rpm_installed "audit" && test_rpm_installed  "audit-libs" || return 2    
test_audit_cfg_immut
}
#4.2 Configure Logging     
#4.2.1 Configure rsyslog                                                                           
#4.2.1.1 Ensure rsyslog is installed   
rsyslog_installed(){
test_rpm_installed "rsyslog"
}
#4.2.1.2 Ensure rsyslog Service is enabled and running   
rsyslog_run(){
test_rpm_installed "rsyslog" || return 2    
test_service_enabled_run "rsyslog"
}
#4.2.1.3 Ensure rsyslog default file permissions configured   
rsyslog_file_perssion(){
test_rpm_installed "rsyslog" || return 2    
test_rsyslog_file_perssion
}
#4.2.1.4 Ensure logging is configured   
rsyslog_configured(){
test_rpm_installed "rsyslog" || return 2    
test_rsyslog_configured
}
#4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host                                                       
rsyslog_content(){
test_rpm_installed "rsyslog" || return 2    
test_rsyslog_content
}
#4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts.   
#4.2.2.1 Ensure journald is configured to send logs to rsyslog   
rsyslog_forwardToSyslog(){
test_rpm_installed "rsyslog" || return 2     
test_rsyslog_journald "^\s*ForwardToSyslog=yes"
}
#4.2.2.2 Ensure journald is configured to compress large log files   
rsyslog_compress(){
test_rpm_installed "rsyslog" || return 2     
test_rsyslog_journald "^\s*Compress=yes"
}
#4.2.2.3 Ensure journald is configured to write logfiles to persistent disk 
rsyslog_storage(){
test_rpm_installed "rsyslog" || return 2     
test_rsyslog_journald "^\s*Storage=persistent"
}
#4.2.3 Ensure permissions on all logfiles are configured   
var_log_files_permissions(){
test_var_log_files_permissions
}
#4.2.4 Ensure logrotate is configured   
logrotate_configured(){
test_logrotate_configured
}

#5 Access, Authentication and Authorization                       
#5.1 Configure time-based job schedulers                             
#5.1.1 Ensure cron daemon is enabled and running   
cron_run(){
test_service_enabled_run "crond"
}
#5.1.2 Ensure permissions on /etc/crontab are configured   
cron_permissions(){
test_permissions_0600_root_root /etc/crontab
}
#5.1.3 Ensure permissions on /etc/cron.hourly are configured   
cron_hourly_permissions(){
test_permissions_0600_root_root /etc/cron.hourly
}
#5.1.4 Ensure permissions on /etc/cron.daily are configured   
cron_daily_permissions(){
test_permissions_0600_root_root /etc/cron.daily 
}
#5.1.5 Ensure permissions on /etc/cron.weekly are configured   
cron_weekly_permissions(){
test_permissions_0600_root_root /etc/cron.weekly
}
#5.1.6 Ensure permissions on /etc/cron.monthly are configured   
cron_monthly_permissions(){
test_permissions_0600_root_root /etc/cron.monthly
}
#5.1.7 Ensure permissions on /etc/cron.d are configured   
crond_permissions(){
test_permissions_0700_root_root /etc/cron.d
}
#5.1.8 Ensure cron is restricted to authorized users   
cron_auth(){
test_at_cron_auth_users
}
#5.1.9 Ensure at is restricted to authorized users   
at_auth(){
test_at_cron_auth_users
}
#5.2 Configure sudo                                                     
#5.2.1 Ensure sudo is installed   
sudo_installed(){
test_rpm_installed "sudo"
}
#5.2.2 Ensure sudo commands use pty   
sudo_use_pty(){
test_rpm_installed "sudo" || return 2    
test_sudo_use_pty
}
#5.2.3 Ensure sudo log file exists   
sudo_log_file_configured(){
test_rpm_installed "sudo" || return 2    
test_sudo_log_file_configured
}
#5.3 Configure SSH Server                                                                                          
#5.3.1 Ensure permissions on /etc/ssh/sshd_config are configured    
ssh_permissions(){
test_permissions_0600_root_root /etc/ssh/sshd_config
}
#5.3.2 Ensure permissions on SSH private host key files are configured 
ssh_private_permissions(){
test_ssh_keys_permissions "ssh_host_*_key"
}
#5.3.3 Ensure permissions on SSH public host key files are configured                                                                               
ssh_public_permissions(){
test_ssh_keys_permissions "ssh_host_*_key.pub"
}
#5.3.4 Ensure SSH access is limited 
ssh_limited(){
test_ssh_access
}
#5.3.5 Ensure SSH LogLevel is appropriate   
ssh_loglevel(){
test_ssh_loglevel
}
#5.3.6 Ensure SSH X11 forwarding is disabled   
ssh_x11_disabled(){
test_param "${SSHD_CFG}" X11Forwarding no
}
#5.3.7 Ensure SSH MaxAuthTries is set to 4 or less   
ssh_MaxAuthTries_le4(){
test_ssh_param_le MaxAuthTries 4
}
#5.3.8 Ensure SSH IgnoreRhosts is enabled   
ssh_IgnoreRhosts_enabled(){
test_param "${SSHD_CFG}" IgnoreRhosts yes
}
#5.3.9 Ensure SSH HostbasedAuthentication is disabled   
ssh_HostbasedAuthentication_disabled(){
test_param "${SSHD_CFG}" HostbasedAuthentication no
}
#5.3.10 Ensure SSH root login is disabled   
ssh_PermitRootLogin_disabled(){
test_param "${SSHD_CFG}" PermitRootLogin no
}
#5.3.11 Ensure SSH PermitEmptyPasswords is disabled   
ssh_PermitEmptyPasswords_disabled(){
test_param "${SSHD_CFG}" PermitEmptyPasswords no
}
#5.3.12 Ensure SSH PermitUserEnvironment is disabled   
ssh_PermitUserEnvironment_disabled(){
test_param "${SSHD_CFG}" PermitUserEnvironment no
}
#5.3.13 Ensure only strong Ciphers are used   
ssh_ciphers(){
test_ssh_strong_rule "^\s*ciphers\s+([^#]+,)?(3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|arcfour|arcfour128|arcfour256|blowfish-cbc|cast128-cbc|rijndael- cbc@lysator.liu.se)\b"
}
#5.3.14 Ensure only strong MAC algorithms are used   
ssh_MACAlg(){
test_ssh_strong_rule "^\s*macs\s+([^#]+,)?(hmac-md5|hmac-md5-96|hmac-ripemd160|hmac- sha1|hmac-sha1-96|umac-64@openssh\.com|hmac-md5-etm@openssh\.com|hmac-md5-96- etm@openssh\.com|hmac-ripemd160-etm@openssh\.com|hmac-sha1- etm@openssh\.com|hmac-sha1-96-etm@openssh\.com|umac-64-etm@openssh\.com|umac- 128-etm@openssh\.com)\b"
}
#5.3.15 Ensure only strong Key Exchange algorithms are used   
ssh_KeyExchAlg(){
test_ssh_strong_rule "^\s*kexalgorithms\s+([^#]+,)?(diffie-hellman-group1-sha1|diffie- hellman-group14-sha1|diffie-hellman-group-exchange-sha1)\b"
}
#5.3.16 Ensure SSH Idle Timeout Interval is configured   
ssh_idle_timeout(){
test_ssh_idle_timeout
}
#5.3.17 Ensure SSH LoginGraceTime is set to one minute or less   
ssh_LoginGraceTime_le60(){
test_ssh_param_le LoginGraceTime 60
}
#5.3.18 Ensure SSH warning banner is configured   
ssh_banner_configured(){
test_param "${SSHD_CFG}" Banner /etc/issue.net
}
#5.3.19 Ensure SSH PAM is enabled   
ssh_pam_enabled(){
test_ssh_strong_rule "^\s*UsePAM\s+no"
}
#5.3.20 Ensure SSH AllowTcpForwarding is disabled   
ssh_AllowTcpForwarding_disabled(){
test_ssh_strong_rule "^\s*AllowTcpForwarding\s+yes"
}
#5.3.21 Ensure SSH MaxStartups is configured   
ssh_MaxStartups_configured(){
test_ssh_strong_rule "^\s*maxstartups\s+(((1[1-9]|[1-9][0-9][0-9]+):([0-9]+):([0-9]+))|(([0-9]+):(3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):([0-9]+))|(([0-9]+):([0-9]+):(6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+)))"
}
#5.3.22 Ensure SSH MaxSessions is limited   
ssh_MaxStartups_limited(){
test_ssh_strong_rule "^\s*MaxSessions\s+(1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+)"
}
#5.4 Configure PAM                                                       
#5.4.1 Ensure password creation requirements are configured   
pam_pwquality(){
test_pam_pwquality
}
#5.4.2 Ensure lockout for failed password attempts is configured   
pam_lockout(){
test_password_lockout_configured
}
#5.4.3 Ensure password hashing algorithm is SHA-512   
pam_SHA512(){
test_password_algorithm
}
#5.4.4 Ensure password reuse is limited   
pam_limited(){
test_password_history
}
#5.5 User Accounts and Environment                      
#5.5.1 Set Shadow Password Suite Parameters          
#5.5.1.1 Ensure password expiration is 365 days or less   
password_expiration_365(){
test_password_expiration
}
#5.5.1.2 Ensure minimum days between password changes is configured 
password_changes_1(){
test_password_minium_change
}
#5.5.1.3 Ensure password expiration warning days is 7 or more   
password_expiration_warn(){
test_password_expiration_warn
}
#5.5.1.4 Ensure inactive password lock is 30 days or less   
password_lock30(){
test_password_lock
}
#5.5.1.5 Ensure all users last password change date is in the past  让passwd自动过期，不应该修改密码时间大于当前时间
password_date(){
test_password_date
}
#5.5.2 Ensure system accounts are secured   
system_security_configured(){
local insecure_accounts=$(test_system_accounts_configured)
local insecure_passwords=$(test_password_status_configured)
if [ -z "$insecure_accounts" ] && [ -z "$insecure_passwords" ]; then
return
else
return 1
fi
}

#5.5.3 Ensure default group for the root account is GID 0   
root_gid0(){
test_root_group_id
}
#5.5.4 Ensure default user shell timeout is configured   
shell_timeout(){
test_default_shell_timeout_configured
}
#5.5.5 Ensure default user umask is configured   
umask_configured(){
test_default_user_umask_configured
}
#5.6 Ensure root login is restricted to system console   (Manual) 
#5.7 Ensure access to the su command is restricted   
su_restricted(){
test_access_to_su_command_restricted
}

#6 System Maintenance                                                       
#6.1 System File Permissions               
#6.1.1 Audit system file permissions   
system_file_permissions(){
test_system_file_perms
}
#6.1.2 Ensure permissions on /etc/passwd are configured   
etcpasswd_permissions(){
test_permissions_0644_root_root ${PASSWD}
}
#6.1.3 Ensure permissions on /etc/passwd- are configured   
etcpasswd_bak_permissions(){
test_permissions_0644_root_root ${PASSWD}-
}
#6.1.4 Ensure permissions on /etc/shadow are configured   
shadow_permissions(){
test_permissions_0000_root_root ${SHADOW}
}
#6.1.5 Ensure permissions on /etc/shadow- are configured   
shadow_bak_permissions(){
test_permissions_0000_root_root ${SHADOW}-
}
#6.1.6 Ensure permissions on /etc/gshadow- are configured   
gshadow_bak_permissions(){
test_permissions_0000_root_root ${GSHADOW}-
}
#6.1.7 Ensure permissions on /etc/gshadow are configured   
gshadow_permissions(){
test_permissions_0000_root_root ${GSHADOW}
}
#6.1.8 Ensure permissions on /etc/group are configured   
group_permissions(){
test_permissions_0644_root_root ${GROUP}
}
#6.1.9 Ensure permissions on /etc/group- are configured   
group_bak_permissions(){
test_permissions_0644_root_root ${GROUP}-
}
#6.1.10 Ensure no world writable files exist   
wrld_writable_files(){
test_wrld_writable_files
}
#6.1.11 Ensure no unowned files or directories exist   
unowned_files(){
test_unowned_files
}
#6.1.12 Ensure no ungrouped files or directories exist   
ungrouped_files(){
test_ungrouped_files
}
#6.1.13 Audit SUID executables   
suid_executables(){
test_suid_executables
}
#6.1.14 Audit SGID executables   
sgid_executables(){
test_sgid_executables
}
#6.2 User and Group Settings      
#6.2.1 Ensure accounts in /etc/passwd use shadowed passwords   
passwd_use_shadowed(){
test_passwd_use_shadowed
}
#6.2.2 Ensure /etc/shadow password fields are not empty   
shadow_empty(){
test_shadow_empty
}
#6.2.3 Ensure all groups in /etc/passwd exist in /etc/group   
group_in_passwd(){
test_group_in_passwd
}
#6.2.4 Ensure shadow group is empty   
group_empty(){
test_group_empty 
}
#6.2.5 Ensure no duplicate user names exist   
not_duplicate_passwd(){
test_no_duplicate_names "1" "$PASSWD"
}
#6.2.6 Ensure no duplicate group names exist   
not_duplicate_group(){
test_no_duplicate_names "1" "$GROUP"
}
#6.2.7 Ensure no duplicate UIDs exist   
not_duplicate_uid(){
test_not_duplicate_uid 
}
#6.2.8 Ensure no duplicate GIDs exist   
not_duplicate_gid(){
test_no_duplicate_names "3" "$GROUP"
}
#6.2.9 Ensure root is the only UID 0 account   
uid_0(){
test_uid_0
}
#6.2.10 Ensure root PATH Integrity   
root_path_integrity(){
test_root_path_integrity
}
#6.2.11 Ensure all users' home directories exist   
users_home_exist(){
test_users_home
}
#6.2.12 Ensure users own their home directories   
users_home_own(){
test_users_home "own"
}
#6.2.13 Ensure users' home directories permissions are 750 or more restrictive 
users_home_permissions(){
test_users_home "permissions"
}
#6.2.14 Ensure users' dot files are not group or world writable   
users_home_dot(){
test_users_home "dot"
}
#6.2.15 Ensure no users have .forward files   
users_home_forward(){
test_users_home "forward"
}
#6.2.16 Ensure no users have .netrc files   
users_home_netrc(){
test_users_home "netrc"
}

#6.2.17 Ensure no users have .rhosts files   
users_home_rhosts(){
test_users_home "rhosts"
}
